Creating AssumeRole on AWS Console for AWS Management/Member Discovery - Support and Troubleshooting
KB0852923

Last updated: Jul 24, 2025 (English original; a Japanese translation is also available)

Table of Contents

  • Overview
  • Procedure on Management Account
  • The Management Account 
  • Manually add the Policies to the Account 
  • Verify if the Accounts are Management or Member Account 
  • Create User and Associate Policy on Management Account 
  • Set Permissions to the user 
  • Set the ARN at the Resources (Visual Editor)
  • Set the ARN at the Resources (JSON)
  • Add Policy to the User
  • Verify the Summary of the User  
  • Procedure on Member Account
  • Create a Role
  • Add Trusted Relationship 
  • Additional Information

Overview

AWS Organization discovery requires that the credentials used for the management account carry an sts:AssumeRole permission together with read-only access. This article explains how to create the sts:AssumeRole policy and associate it with a user in the management account, and how to create the trust relationship on the role in each member account.

Procedure on Management Account


  • Log in to the AWS console of the management account. Root credentials are not required for any step below, and AWS recommends against using the root user for routine work; an IAM identity that can read AWS Organizations is sufficient.
  • Verify the AWS Organizations setup.
  • The organization must have at least one management account and one member account.



The Management Account 

 The credentials used for the management account must be allowed the following AWS Organizations actions for discovery to identify it as the management account ("Amazon AWS Organization"). These are IAM actions granted by a policy, not policies themselves; note that the third action is organizations:ListAccounts (there is no action named DescribeListAccounts).

  • organizations:DescribeOrganization
  • organizations:DescribeAccount
  • organizations:ListAccounts

 If these actions are not allowed for the credentials discovery uses, the account is discovered as a regular account, not as the management account.

Manually add the Policies to the Account 

  • Log in to the management account (the account that created the organization; an IAM policy cannot turn a member account into the management account)
  • AWS Services >> IAM >> Policies >> Create Policy

    • Service: choose "Organizations"; under the Read access level select at least DescribeOrganization, DescribeAccount and ListAccounts
    • Resources: Account, Handshake, OrganizationalUnit, Policy; mark each as Any
  • Review Policy
  • Provide a policy name and create the policy
  • Attach the policy to the IAM user (or role) that discovery will use; IAM policies attach to identities, not to the account itself
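The check behind the previous two sections, as an added example that is not code from this KB article or from ServiceNow: given an IAM policy document, does it grant the three Organizations actions discovery needs? The function resolves IAM-style action wildcards ("organizations:Describe*", "*"), lets an explicit Deny override an Allow, and skips NotAction statements so they get reviewed by hand. The three sample policies are constructed for illustration.

```python
"""Check whether an IAM policy document grants the AWS Organizations actions
that discovery needs to identify a management account.

Added example; this is not code from the KB article or from ServiceNow.
The policy documents at the bottom are constructed samples.
"""
import fnmatch

# The three actions the article requires (ListAccounts is the real action name).
REQUIRED_ORG_ACTIONS = (
    "organizations:DescribeOrganization",
    "organizations:DescribeAccount",
    "organizations:ListAccounts",
)


def _as_list(value):
    """IAM accepts a string, a dict or a list for most elements; normalise."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def allowed_actions(policy, required=REQUIRED_ORG_ACTIONS):
    """Return the subset of `required` that `policy` allows.

    Action names are matched case-insensitively with IAM-style wildcards
    ("organizations:Describe*", "*"), an explicit Deny overrides any Allow,
    and statements using NotAction are skipped so they get reviewed by hand.
    Resource and Condition elements are not evaluated: these actions are
    account-wide, so in practice Resource is "*" and only the action matters.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if "NotAction" in stmt:
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        matched = {
            action for action in required
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
        }
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    return allowed - denied


def missing_actions(policy, required=REQUIRED_ORG_ACTIONS):
    """Required actions the policy does not grant, in the order of `required`."""
    granted = allowed_actions(policy, required)
    return [action for action in required if action not in granted]


# Constructed sample 1: what the article's visual-editor steps produce.
ORG_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "organizations:DescribeOrganization",
            "organizations:DescribeAccount",
            "organizations:ListAccounts",
        ],
        "Resource": "*",
    }],
}

# Constructed sample 2: wildcard form, as a broad read-only policy would grant it.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["organizations:Describe*", "organizations:List*"],
        "Resource": "*",
    }],
}

# Constructed sample 3: a broad Allow undone for one action by an explicit Deny,
# which is enough to make discovery treat the account as a regular account.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "organizations:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "organizations:ListAccounts", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("explicit", ORG_READ_POLICY), ("wildcard", WILDCARD_POLICY),
                      ("deny", DENY_POLICY)]:
        print(name, "missing:", missing_actions(doc) or "none")
```

Run it against the JSON of every policy attached to the discovery user (identity policies and any permissions boundary) before troubleshooting why an account shows up as a regular account; a single Deny anywhere in that set is enough.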






Verify if the Accounts are Management or Member Account 

  • AWS Services >> IAM >> Access reports >> Organization activity
  • The organization root lists the accounts, and the management account is marked as such






Create User and Associate Policy on Management Account 

  • AWS Services >> IAM >> Users >> Create User (an existing user can also be used)
  • While creating the user, select "Programmatic access" as the access type; discovery authenticates with an access key, so console access is not needed






Set Permissions to the user 

  • Choose "Attach existing policies directly"
  • Create policy >> choose the following
  • Service: STS
  • Under STS >> Write >> select AssumeRole










Set the ARN at the Resources (Visual Editor)

  • Resources: select Specific (not All)
  • Click "Add ARN"
  • In the dialog that opens, fill in the ARN fields:
  • Account: the Member Account ID
  • Role name with path: OrganizationAccountAccessRole (the role created in the member account in the procedure below)

Set the ARN at the Resources (JSON)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Member Account ID>:role/OrganizationAccountAccessRole"
        }
    ]
}






Add Policy to the User

  • Add the AWS managed "ReadOnlyAccess" policy and the newly created AssumeRole policy to the user
  • AdministratorAccess is not needed; the user only reads inventory and assumes the read-only role in each member account






Verify the Summary of the User  

  • Copy the User ARN; it is the principal that the member account's role trust policy must name (see "Add Trusted Relationship" below)



Procedure on Member Account




Create a Role

  • AWS Services >> IAM >> Roles
  • Create a new role >> choose "Another AWS account" and provide the Management Account ID
  • Click Next
  • Attach the existing AWS managed policy "ReadOnlyAccess" to the role
  • Click Next
  • Tags are not mandatory
  • Give the role name as "OrganizationAccountAccessRole"
  • Submit to create the role
  • Caveat: AWS Organizations itself creates a role with this exact name, carrying AdministratorAccess and trusting the management account, in every account it creates. If the role already exists in the member account, do not widen its trust or reuse it for discovery; create a separately named read-only role instead and use that name in the management account's AssumeRole policy










Add Trusted Relationship 

  • AWS Services >> IAM >> Roles
  • Click on the newly created "OrganizationAccountAccessRole"
  • The Permissions tab shows "ReadOnlyAccess"
  • Click "Trust relationships" >> Edit trust relationship >> replace the account-level principal that the "Another AWS account" option generated (arn:aws:iam::<Management Account ID>:root) with the user ARN
  • The user ARN is available on the user summary page in the management account console; refer to the "Verify the Summary of the User" section above. Trusting the user ARN rather than :root means only that user, not every principal in the management account, can assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Management Account ID>:user/User"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
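The two JSON documents on this page (the sts:AssumeRole policy under "Set the ARN at the Resources (JSON)" and the trust policy above) only work as a pair: the Resource in the management account's user policy must be the role ARN in the member account, and the Principal in that role's trust policy must be the user's ARN. The following added example, which is not code from this KB article or from ServiceNow, generates both documents from the account IDs and cross-checks a pair, flagging a wildcard Resource on the user side and a ":root" or "*" principal on the role side. The account IDs, the user name "discovery" and the helper names are placeholders.

```python
"""Build the two policy documents the article pairs across accounts and check
that they agree and are scoped to a single user and a single role.

Added example; this is not code from the KB article or from ServiceNow.
The account IDs, user name and role name below are placeholders.
"""
import fnmatch
import json
import re

USER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/(.+)$")


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def assume_role_policy(member_account_ids, role_name="OrganizationAccountAccessRole"):
    """Management side: the policy attached to the discovery user.

    One Resource ARN per member account, never "*", so the user can assume
    only the read-only discovery role and nothing else.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeDiscoveryRoleInMembers",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                         for acct in member_account_ids],
        }],
    }


def trust_policy(management_account_id, user_name):
    """Member side: the trust policy on the role, naming the specific user.

    Trusting the user ARN rather than "arn:aws:iam::<id>:root" keeps every
    other principal in the management account from assuming the role.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:user/{user_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {},
        }],
    }


def check_pair(user_arn, user_policy, member_account_id, role_name, role_trust):
    """Cross-check the user's policy against the role's trust policy.

    Returns a list of problems; an empty list means the two documents agree
    and both are scoped to exactly one role and one user.
    """
    problems = []
    role_arn = f"arn:aws:iam::{member_account_id}:role/{role_name}"

    if not USER_ARN_RE.match(user_arn):
        problems.append(f"{user_arn} is not an IAM user ARN")

    # 1. The user must be allowed sts:AssumeRole on this exact role ARN.
    resources = []
    for stmt in _as_list(user_policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            resources += _as_list(stmt.get("Resource"))
    if role_arn not in resources:
        if any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            problems.append(f"user policy reaches {role_arn} only through a wildcard resource")
        else:
            problems.append(f"user policy does not allow sts:AssumeRole on {role_arn}")

    # 2. The role must trust the user ARN, and nothing broader.
    trusted = []
    for stmt in _as_list(role_trust.get("Statement")):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            principal = stmt.get("Principal")
            if isinstance(principal, dict):
                trusted += _as_list(principal.get("AWS"))
            elif principal == "*":
                trusted.append("*")
    if user_arn not in trusted:
        problems.append(f"role trust policy does not trust {user_arn}")
    for principal in trusted:
        if principal == "*" or principal.endswith(":root"):
            problems.append(f"role trust policy trusts {principal}, which is wider than one user")
    return problems


if __name__ == "__main__":
    # Placeholder IDs; not real accounts.
    user_arn = "arn:aws:iam::111111111111:user/discovery"
    user_policy = assume_role_policy(["222222222222", "333333333333"])
    role_trust = trust_policy("111111111111", "discovery")
    print(json.dumps(user_policy, indent=2))
    print(json.dumps(role_trust, indent=2))
    print(check_pair(user_arn, user_policy, "222222222222",
                     "OrganizationAccountAccessRole", role_trust) or "consistent")
```

Paste the generated documents into the respective consoles, or feed the documents already in place back into check_pair after exporting them; the ":root" finding is exactly the state the console's "Another AWS account" option leaves the role in before the trust relationship is edited.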


Additional Information


Assume an AWS role for temporary Cloud Discovery credentials
Assuming member roles with an AWS API
AWS Organizations and Temporary Credentials
Discovery - Assume Role enhancements for AWS Organizations

Attachments

  • AddUser.jpg
  • ARN_Resource.jpg
  • MasterAccountID.jpg
  • OrganizationActivity.jpg
  • policies.jpg
  • ReadOnly.jpg
  • STS_Service.jpg
  • User_Summary.jpg

  • © 2025 ServiceNow. All rights reserved.